Performance Tuning Guide
This guide provides recommendations for tuning CyberDoyen SIEM to maximize performance, ensuring efficient data processing and minimal latency.
1. Optimize Elasticsearch Configuration
Elasticsearch is the backbone of CyberDoyen SIEM, and its performance is critical to the overall system.
Key Configuration Parameters
Parameter | Description | Recommended Value |
---|---|---|
index.refresh_interval | Controls how often newly written data is made searchable (refresh). | 1s |
index.number_of_shards | Number of primary shards per index; affects indexing and query parallelism. | 1 for smaller datasets, 2-3 for larger datasets |
index.number_of_replicas | Number of replica copies per index; provides fault tolerance at the cost of extra indexing work. | 0 for single-node setups, 1 for production environments |
cluster.routing.allocation.disk.watermark.low | Controls disk space thresholds for allocation. | 70% |
cluster.routing.allocation.disk.watermark.high | Controls the high watermark for disk space. | 85% |
Tip: Reducing the number of replicas or adjusting shard allocation can drastically improve query and indexing speeds.
Elasticsearch Configuration Example
```yaml
# /opt/CyberDoyen/config/elasticsearch.yml
# Disk watermarks are node/cluster settings and belong in this file.
cluster.routing.allocation.disk.watermark.low: 70%
cluster.routing.allocation.disk.watermark.high: 85%
# Index-level settings are rejected in elasticsearch.yml since Elasticsearch 5
# ("node settings must not contain any index level settings") and stop the node
# from starting. Apply the values below through an index template or the index
# settings API instead:
#   index.refresh_interval: 1s
#   index.number_of_shards: 1
#   index.number_of_replicas: 0
```
2. Filebeat Tuning
Filebeat is used to send logs to CyberDoyen SIEM. Proper tuning of Filebeat ensures optimal log shipping and minimal overhead.
Key Configuration Parameters
Parameter | Description | Recommended Value |
---|---|---|
output.elasticsearch.bulk_max_size | The maximum number of events to bulk together. | 1024 |
filebeat.registry.flush | How often Filebeat writes its registry (per-file read offsets) to disk. | 5s |
scan_frequency (set per input under filebeat.inputs) | How often Filebeat checks the configured paths for new files. | 10s |
Filebeat Configuration Example
```yaml
# /opt/CyberDoyen/config/filebeat.yml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/cyberdoyen/*.log   # placeholder path, adjust to your log sources
    scan_frequency: 10s             # per-input option, not a top-level filebeat.* key
filebeat.registry.flush: 5s
output.elasticsearch:
  hosts: ["localhost:9200"]         # placeholder, point at your Elasticsearch nodes
  bulk_max_size: 1024
```
3. Database Performance Tuning
If using external databases for user authentication, query logging, or other integrations, ensure that database performance is optimized to handle high read and write loads.
Key Database Tuning Recommendations
Parameter | Description | Recommended Value |
---|---|---|
max_connections | Maximum number of simultaneous database connections. | 100 for moderate use, 500+ for high load environments |
innodb_buffer_pool_size | Amount of memory allocated for InnoDB storage engine. | 70-80% of total system memory |
query_cache_size | Cache size for database queries. | 0 (recommended to disable for modern databases) |
query_cache_type | Enables query cache for repeated queries. | OFF (for high-performance setups) |
Tip: Make sure your database’s read/write throughput is high enough to handle the volume of incoming and outgoing data from CyberDoyen SIEM.
MySQL Database Configuration Example
```ini
# /etc/mysql/my.cnf
[mysqld]
max_connections = 100
# innodb_buffer_pool_size takes a byte value, not a percentage; 12G is 75% of a
# 16 GiB host (the table above recommends 70-80%). Size it for your own RAM.
innodb_buffer_pool_size = 12G
# The query cache was removed in MySQL 8.0, where these two keys are unknown
# variables and abort startup; keep them only on MySQL 5.x.
query_cache_size = 0
query_cache_type = OFF
```
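The table gives innodb_buffer_pool_size as a share of RAM, but my.cnf only accepts a byte value. The helper below is an added example, not CyberDoyen SIEM code: it turns that share into a chunk-aligned value and renders the [mysqld] block, dropping the query cache keys on MySQL 8.0 where they no longer exist. The function names and the 16 GiB sample host are assumptions.

```python
"""Render this guide's [mysqld] block with a concrete innodb_buffer_pool_size
instead of the placeholder "80% of system memory" (added example)."""

MIB = 1024 * 1024
# InnoDB allocates the buffer pool in units of innodb_buffer_pool_chunk_size
# (128 MiB by default) times innodb_buffer_pool_instances and rounds any other
# value UP; rounding down here keeps the pool inside the memory budget.
CHUNK_MIB = 128


def buffer_pool_mib(total_mem_bytes, percent=80, chunk_mib=CHUNK_MIB, instances=1):
    """Largest multiple of chunk_mib*instances not exceeding percent of RAM, in MiB."""
    if not 0 < percent <= 100:
        raise ValueError("percent must be in (0, 100]")
    budget_mib = total_mem_bytes * percent / 100 / MIB
    step = chunk_mib * instances
    return int(budget_mib // step) * step


def render_mysqld_section(total_mem_bytes, mysql_major=5, max_connections=100,
                          percent=80):
    """Build the my.cnf [mysqld] lines from the table's recommendations.

    The query cache was removed in MySQL 8.0, where query_cache_* keys are
    unknown variables that abort startup, so they are emitted only for 5.x.
    """
    lines = [
        "[mysqld]",
        f"max_connections = {max_connections}",
        f"innodb_buffer_pool_size = {buffer_pool_mib(total_mem_bytes, percent)}M",
    ]
    if mysql_major < 8:
        lines += ["query_cache_size = 0", "query_cache_type = OFF"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample host: 16 GiB of RAM running MySQL 5.7
    print(render_mysqld_section(16 * 1024 * MIB, mysql_major=5))
```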
4. JVM Performance Tuning
Since CyberDoyen SIEM runs on the Java Virtual Machine (JVM), proper JVM tuning is crucial for memory management and garbage collection.
Key JVM Configuration Parameters
Parameter | Description | Recommended Value |
---|---|---|
Xms | Initial heap size for the JVM. | 4GB |
Xmx | Maximum heap size for the JVM. | 16GB |
Xss | Stack size per thread. | 256k |
GC | Garbage Collection settings to minimize pauses. | G1GC (recommended) |
JVM_OPTS | Set of additional JVM options. | -XX:+UseG1GC |
JVM Configuration Example
```text
# /opt/CyberDoyen/config/jvm.options
# Heap: Elasticsearch's own guidance is to set Xms and Xmx to the same value so
# the heap never resizes at runtime; the values below follow the table above.
-Xms4g
-Xmx16g
# Stack size per thread
-Xss256k
# Garbage collector: G1 keeps pause times short on large heaps
-XX:+UseG1GC
```
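A quick way to catch heap misconfiguration before restarting the service is to lint jvm.options against the table above. The checker below is an added example, not CyberDoyen SIEM code; the heap rules it encodes are Elasticsearch's published guidance (Xms equal to Xmx, heap at most half of RAM, heap below the 32 GB compressed-oops limit), and the function names and the 32 GiB sample host are assumptions.

```python
"""Sanity-check a jvm.options body against this guide's JVM table and
Elasticsearch's heap guidance (added example, not CyberDoyen SIEM code)."""
import re

UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """JVM size literal ('4g', '256k', '1048576') -> bytes."""
    m = re.fullmatch(r"(\d+)([kmgKMG]?)", text.strip())
    if not m:
        raise ValueError(f"bad JVM size: {text!r}")
    return int(m.group(1)) * UNITS.get(m.group(2).lower(), 1)


def parse_jvm_options(text):
    """Collect -Xms/-Xmx/-Xss values and -XX flags; '#' lines are comments."""
    opts = {"xx": set()}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        for key in ("Xms", "Xmx", "Xss"):
            if line.startswith("-" + key):
                opts[key] = parse_size(line[4:])
        if line.startswith("-XX:"):
            opts["xx"].add(line[4:])
    return opts


def check_heap(text, total_mem_bytes):
    """Return findings for a jvm.options body; an empty list means it passes."""
    o = parse_jvm_options(text)
    xms, xmx = o.get("Xms"), o.get("Xmx")
    if xms is None or xmx is None:
        return ["Xms and Xmx must both be set explicitly"]
    findings = []
    if xms != xmx:
        findings.append("Xms != Xmx: the heap resizes at runtime, adding GC pauses")
    if xmx > total_mem_bytes // 2:
        findings.append("Xmx above 50% of RAM starves the filesystem cache")
    if xmx >= 32 * UNITS["g"]:
        findings.append("Xmx >= 32g turns off compressed oops")
    if o.get("Xss") != 256 * UNITS["k"]:
        findings.append("Xss differs from the 256k recommended above")
    if "+UseG1GC" not in o["xx"]:
        findings.append("G1GC not enabled (-XX:+UseG1GC)")
    return findings


# Constructed input: this guide's jvm.options example, checked on a 32 GiB host
SAMPLE = "-Xms4g\n-Xmx16g\n-Xss256k\n-XX:+UseG1GC\n"
```

Running `check_heap(SAMPLE, 32 * 1024 ** 3)` reports only the Xms/Xmx mismatch; on a 16 GiB host it also flags the 16g heap as more than half of RAM.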
5. Network Performance Tuning
Network latency can impact the performance of data ingestion and communication between CyberDoyen SIEM components.
Key Network Tuning Recommendations
Parameter | Description | Recommended Value |
---|---|---|
net.ipv4.tcp_rmem | Minimum, default, and maximum TCP receive buffer sizes (bytes). | 4096 87380 16777216 |
net.ipv4.tcp_wmem | Minimum, default, and maximum TCP send buffer sizes (bytes). | 4096 87380 16777216 |
net.core.rmem_max | Maximum receive buffer size a socket may request (bytes). | 16777216 |
net.core.wmem_max | Maximum send buffer size a socket may request (bytes). | 16777216 |
Tip: Ensure your network interface has enough bandwidth to handle the throughput required by CyberDoyen SIEM.
Linux Network Tuning Example
```text
# /etc/sysctl.conf (apply with: sysctl -p)
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# The TCP buffer tunables live under net.ipv4; a bare "tcp_rmem" key is not
# a valid sysctl name and sysctl -p rejects it.
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
```
6. General Performance Recommendations
In addition to the specific configurations above, here are some general best practices for improving CyberDoyen SIEM performance:
Best Practice | Description | Recommended Action |
---|---|---|
Disk I/O Optimization | Use SSDs for storage to significantly improve read/write speeds. | Use SSDs for Elasticsearch and Filebeat storage. |
Avoid Over-Indexing | Ensure you are indexing only the necessary fields to minimize data bloat. | Use index templates and mapping to limit unnecessary fields. |
Use Data Retention Policies | Set retention policies to keep data only for the necessary duration. | Configure log rotation and data retention in Elasticsearch. |
Cluster Scaling | Use a multi-node cluster to distribute the load evenly. | Set up Elasticsearch in a multi-node cluster for high availability and load balancing. |
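The index-level settings from section 1 cannot go in elasticsearch.yml, and the "Avoid Over-Indexing" and "Use Data Retention Policies" rows above both need an API body rather than a file edit. The example below is added here and is not CyberDoyen SIEM code: it builds a composable index template that carries the guide's shard, replica and refresh values, disables dynamic mapping so unplanned fields are never indexed, and an ILM policy that deletes old data. The index pattern, field names, policy name and 30-day retention are assumptions.

```python
"""Bodies for PUT _index_template/<name> and PUT _ilm/policy/<name> that carry
this guide's Elasticsearch settings (added example, not CyberDoyen SIEM code)."""
import json

# Constructed mapping: only the fields analysts actually query are indexed.
KEEP_FIELDS = {
    "@timestamp": {"type": "date"},        # required for a data stream
    "action": {"type": "keyword"},
    "source_ip": {"type": "ip"},
    "message": {"type": "text"},
    "raw": {"type": "object", "enabled": False},  # kept in _source, never indexed
}


def index_template(pattern, shards=1, replicas=0, refresh="1s",
                   fields=KEEP_FIELDS, policy="cyberdoyen-retention"):
    """Composable data-stream template with the settings from section 1."""
    return {
        "index_patterns": [pattern],
        "data_stream": {},  # data streams let ILM roll over without an alias
        "template": {
            "settings": {
                "index.number_of_shards": shards,
                "index.number_of_replicas": replicas,
                "index.refresh_interval": refresh,
                "index.lifecycle.name": policy,
            },
            # dynamic=false: fields outside KEEP_FIELDS are stored but not indexed
            "mappings": {"dynamic": False, "properties": fields},
        },
    }


def retention_policy(delete_after="30d", rollover_age="1d", rollover_size="50gb"):
    """ILM policy: roll the write index daily or at 50 GB, delete after delete_after."""
    return {"policy": {"phases": {
        "hot": {"actions": {"rollover": {"max_age": rollover_age,
                                         "max_size": rollover_size}}},
        "delete": {"min_age": delete_after, "actions": {"delete": {}}},
    }}}


if __name__ == "__main__":
    print(json.dumps(index_template("cyberdoyen-logs-*"), indent=2))
    print(json.dumps(retention_policy(), indent=2))
```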
Conclusion
By tuning the various components of CyberDoyen SIEM—including Elasticsearch, Filebeat, JVM, and network—you can significantly improve system performance, reduce latency, and scale your deployment to handle larger volumes of security events.
For more advanced configurations and cluster setup, refer to the Configuration Guide.